CVE-2026-1892— WeKan REST API boards.js setBoardOrgs improper authorization

CVSS 5.0 · Medium EPSS 0.02% · P6 Updated Feb 23, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-1892

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

WeKan REST API boards.js setBoardOrgs improper authorization

Source: NVD (National Vulnerability Database)

Vulnerability Description

A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

WeKan 授权问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WeKan是WeKan开源的一个看板应用程序。 WeKan 8.20及之前版本存在授权问题漏洞，该漏洞源于对参数item.cardId/item.checklistId/card.boardId的操作导致授权不当。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	WeKan	8.0	-

II. Public POCs for CVE-2026-1892

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-1892

请登录查看更多情报信息。

Same Patch Batch · n/a · 2026-02-04 · 12 CVEs total

CVE-2025-15555	7.3 HIGH	Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow
CVE-2026-1896	6.3 MEDIUM	WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration Migra
CVE-2026-1895	6.3 MEDIUM	WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control
CVE-2026-1894	6.3 MEDIUM	WeKan REST API checklistItems.js Checklist REST Bleed improper authorization
CVE-2026-1884	4.7 MEDIUM	ZenTao Webhook model.php fetchHook server-side request forgery
CVE-2025-69620		nTools Office Reader - PDF,Word,Excel 安全漏洞
CVE-2025-69621		Android Tools Comic Book Reader 安全漏洞
CVE-2025-69618		coto Tarot, Astro & Healing 安全漏洞
CVE-2025-70997		ELADMIN 安全漏洞
CVE-2025-70545		PPC 2K05X 安全漏洞
CVE-2025-71031		Melon 安全漏洞

IV. Related Vulnerabilities

Same product: WeKan

Same vendor: n/a

Same weakness: CWE-285

V. Comments for CVE-2026-1892

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-1892— WeKan REST API boards.js setBoardOrgs improper authorization

I. Basic Information for CVE-2026-1892

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-1892

III. Intelligence Information for CVE-2026-1892

Same Patch Batch · n/a · 2026-02-04 · 12 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-1892

Leave a comment